Security researchers have discovered a cluster of over a dozen US-based servers being used to host and distribute 10 strains of malware in large-scale phishing campaigns.
The web servers in question are owned by FranTech Solutions, a bulletproof hosting provider which uses a datacenter in Nevada, according to security firm Bromium.
Malware hosted on the servers apparently features five families of banking trojans including Dridex and IcedID, two families of ransomware including GandCrab, and three information stealers.
“The variety of malware families hosted, and the apparent separation of command and control (C2) from email and hosting infrastructure, suggests the existence of distinct threat actors: one responsible for email and hosting, and others in charge of operating the malware,” explained Bromium.
“Given the similarities between the campaigns delivering Dridex and the other malware families we identified, it is possible that this collection of web servers is part of the malware hosting and distribution infrastructure used by the operators of the Necurs botnet.”
The phishing campaigns used to distribute malware hosted on these servers appear to be pretty standard, using social engineering to trick recipients into running malicious VBA macros on the attached Word document, thereby triggering a covert malware download.
Bromium speculated that the US may have been chosen for this endeavor rather than a country more tolerant of malicious online activity as it could enable a higher success rate with the mainly US targets.
“The HTTP connections to download the malware from the web servers are more likely to succeed inside organizations that block traffic to and from countries that fall outside of their typical profile of network traffic,” it said.
A Bromium spokesperson confirmed to Infosecurity that the firm had contacted the relevant authorities, but as of Wednesday, some of the servers were still up and running.